
Iranian cybercriminals identified by AFP and ACSC in joint cybersecurity advisory

A cybersecurity advisory issued jointly by several authorities warns network defenders that Iranian actors are using brute force and other techniques to break into organisations in critical sectors such as healthcare and public health, government, information technology, engineering, and...

Iranian Hackers Warned in Joint Cybersecurity Alert Issued by AFP and ACSC


In an increasingly digital world, the security of user accounts has become a top priority for organisations, especially those with a significant online presence. Recently, several Fortune-500 companies, including those with Azure subscriptions, have taken proactive steps to enhance their security measures.

One key area of focus has been Multi-Factor Authentication (MFA), a security control that requires more than one method of authentication from independent categories of credentials to verify the user's identity. MFA on its own does not stop every attack (brute-forced credentials can still be paired with MFA push bombing or self-service MFA registration), so alongside robust MFA coverage these organisations are hunting for the following indicators of account compromise in their authentication and endpoint logs:

  1. Unexpected Locales and Devices: Organisations are looking for MFA registrations from unfamiliar devices or locations that deviate from the norm. This helps to identify potential unauthorised access attempts.
  2. Suspicious Logins: Organisations are scrutinising logins with changing usernames, user agent strings, and IP address combinations. Such inconsistencies could indicate a malicious attempt to gain access.
  3. Multiple Accounts and IP Usage: Investigating a single IP address that authenticates, or attempts to authenticate, to many different accounts, excluding expected sources such as corporate VPN or proxy egress, can uncover password spraying and other suspicious activity.
  4. Unusual Login Locations and Patterns: User accounts exhibiting unusual login locations or patterns are being investigated to detect potential security breaches.
  5. Login Failures: Organisations are keeping a close eye on user accounts that experience multiple login failures within a short timeframe, which could be a sign of brute-force attacks.
  6. Account Deactivation: Upon staff departure, user accounts and access to organisational resources are being disabled to prevent unauthorised access.
  7. Frequent Password Changes: User accounts that frequently change their passwords are being investigated to ensure these changes are not a result of compromised accounts.
  8. Privileged Account Use: Organisations are monitoring privileged account use after resetting passwords or applying user account mitigations to prevent unauthorised access.
  9. Dormant Accounts: Unusual activity in typically dormant accounts is being examined to identify potential security issues.
  10. Suspicious Scripts and Processes: Accounts that have been used to execute suspicious scripts or processes are being investigated.
  11. Credential Dumping: Organisations are looking for processes and program execution command-line arguments that may indicate credential dumping, a technique used by cybercriminals to steal login credentials.
  12. Account Creation and Deletion: Large numbers of account creations or deletions in a short timeframe are being examined to detect potential malicious activities.
  13. Excessive Permissions: User accounts that have been granted excessive permissions or access to sensitive resources are being reviewed to ensure proper access control.
  14. Password Management: Organisations are reviewing IT helpdesk password management to ensure initial passwords, password resets for user lockouts, and shared accounts are handled securely.
  15. Unusual User Agent Strings: Organisations are investigating user agent strings that are not typically associated with normal user activity.
  16. Access Beyond Scope: User accounts that have been used to access resources beyond their designated scope are being investigated.
  17. Out-of-Hours Activity: User accounts that have been accessed outside of normal business hours are being scrutinised.
  18. Data Breach History: User accounts whose credentials have appeared in previous data breaches, or that were involved in earlier security incidents, are being examined.
  19. Long Periods of Inactivity: Accounts with long periods of inactivity, followed by sudden activity, are being investigated.
  20. Impossible Travel: Organisations are looking for user accounts that log in from multiple IP addresses with significant geographic distance in a short timeframe, a phenomenon known as impossible travel.
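Several of the indicators above (login failures, one IP hitting many accounts, out-of-hours activity and impossible travel) are simple enough to check directly against sign-in logs. The script below is an added example and is not code from the advisory or from the article: it runs those four checks over a constructed set of sign-in events whose field names (`user`, `time`, `ip`, `ok`, `lat`, `lon`) are assumptions standing in for whatever your identity provider exports, and the geo-IP coordinates and the "expected" corporate egress IP are likewise made up for the example.

```python
"""Hunting the sign-in indicators above over constructed log events (added example).

The field names, the sample events, the geo-IP coordinates and the thresholds
are assumptions for this example, not the advisory's own data or logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import math


def ev(user, when, ip, ok, lat, lon):
    """Build one sign-in event; 'ok' is True for a successful authentication."""
    return {"user": user, "time": datetime.fromisoformat(when), "ip": ip,
            "ok": ok, "lat": lat, "lon": lon}


SYD = (-33.87, 151.21)  # constructed geo-IP lookups, not real resolutions
LON = (51.51, -0.13)

# Constructed sample events (not real data). Timestamps are treated as local time.
SIGNINS = [
    # alice: five failures from one address, a success, then a login from London two hours later
    ev("alice@example.com", "2024-10-16T02:00:00", "198.51.100.7", False, *SYD),
    ev("alice@example.com", "2024-10-16T02:01:00", "198.51.100.7", False, *SYD),
    ev("alice@example.com", "2024-10-16T02:02:00", "198.51.100.7", False, *SYD),
    ev("alice@example.com", "2024-10-16T02:03:00", "198.51.100.7", False, *SYD),
    ev("alice@example.com", "2024-10-16T02:04:00", "198.51.100.7", False, *SYD),
    ev("alice@example.com", "2024-10-16T02:05:00", "198.51.100.7", True, *SYD),
    ev("alice@example.com", "2024-10-16T04:00:00", "203.0.113.50", True, *LON),
    # bob and carol: the same address probes other accounts, then they log in normally
    ev("bob@example.com", "2024-10-16T02:10:00", "198.51.100.7", False, *SYD),
    ev("bob@example.com", "2024-10-16T02:11:00", "198.51.100.7", False, *SYD),
    ev("bob@example.com", "2024-10-16T09:00:00", "203.0.113.1", True, *SYD),
    ev("carol@example.com", "2024-10-16T02:12:00", "198.51.100.7", False, *SYD),
    ev("carol@example.com", "2024-10-16T09:30:00", "203.0.113.1", True, *SYD),
    # dave and erin: ordinary office-hours logins through the corporate egress
    ev("dave@example.com", "2024-10-16T10:00:00", "203.0.113.1", True, *SYD),
    ev("erin@example.com", "2024-10-16T10:05:00", "203.0.113.1", True, *SYD),
]
EXPECTED_IPS = frozenset({"203.0.113.1"})  # assumed corporate VPN/proxy egress


def brute_force_candidates(events, threshold=5, window=timedelta(minutes=10)):
    """Indicator 5: accounts with >= threshold failures inside a sliding time window."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["user"]].append(e["time"])
    findings = []
    for user, times in fails.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while t - times[j] > window:       # shrink window from the left
                j += 1
            if i - j + 1 >= threshold:
                findings.append((user, i - j + 1, times[j], t))
                break                          # one finding per account is enough
    return findings


def shared_ip_accounts(events, min_accounts=3, expected_ips=frozenset()):
    """Indicator 3: one source IP touching many accounts (successes and failures),
    ignoring known shared egress addresses."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["ip"] not in expected_ips:
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_accounts}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Indicator 20: consecutive successful logins whose implied speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            hours = (b["time"] - a["time"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_kmh:
                findings.append((user, a["ip"], b["ip"], round(km), round(speed)))
    return findings


def off_hours_logins(events, start_hour=7, end_hour=19):
    """Indicator 17: successful logins outside the assumed business-hours window."""
    return [(e["user"], e["time"], e["ip"])
            for e in events if e["ok"] and not (start_hour <= e["time"].hour < end_hour)]


if __name__ == "__main__":
    print("brute force:", brute_force_candidates(SIGNINS))
    print("shared IPs:", shared_ip_accounts(SIGNINS, expected_ips=EXPECTED_IPS))
    print("impossible travel:", impossible_travel(SIGNINS))
    print("off hours:", off_hours_logins(SIGNINS))
```

On the constructed data the checks converge on one story: alice's account is hit with five failures in four minutes, the same address also probes bob and carol, and alice's subsequent success is followed by a login from roughly 17,000 km away two hours later. Treating each check as a separate alert produces noise; correlating them on the account and the source IP, as the list above implies, is what turns them into an incident. Thresholds such as five failures, three accounts per IP and 900 km/h are starting points to tune against your own baseline, and the expected-IP allowlist is essential, since a corporate VPN egress legitimately authenticates many users from one address.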

These measures, coupled with continuous reviews of MFA settings and the use of tools like Conditional Access policies and Security Defaults in Microsoft 365 and Microsoft Entra ID, are helping organisations strengthen the protection of their user accounts and exposed services. By staying vigilant and proactive, organisations can minimise the risk of security breaches and protect their digital assets effectively.
